==========================
Django 2.0.3 release notes
==========================

*March 6, 2018*

Django 2.0.3 fixes two security issues and several bugs in 2.0.2. Also, the
latest string translations from Transifex are incorporated.

CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
===============================================================================================

The ``django.utils.html.urlize()`` function was extremely slow to evaluate
certain inputs due to catastrophic backtracking vulnerabilities in two regular
expressions. The ``urlize()`` function is used to implement the ``urlize`` and
``urlizetrunc`` template filters, which were thus vulnerable.

The problematic regular expressions are replaced with parsing logic that
behaves similarly.

CVE-2018-7537: Denial-of-service possibility in ``truncatechars_html`` and ``truncatewords_html`` template filters
==================================================================================================================

If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were
passed the ``html=True`` argument, they were extremely slow to evaluate certain
inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``chars()`` and ``words()`` methods are used to implement the
``truncatechars_html`` and ``truncatewords_html`` template filters, which were
thus vulnerable.

The backtracking problem in the regular expression is fixed.

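The failure mode shared by both advisories above, as an added illustration that is not Django's code: a constructed pattern with a nested quantifier (hypothetical, not the regex that was actually in ``urlize()`` or ``Truncator``) is placed beside a hand-written scanner that accepts exactly the same strings in linear time, the kind of replacement the ``urlize`` fix describes.

```python
import re
import time

# Constructed, hypothetical pattern (NOT Django's actual regex): "one or more
# runs of word characters, each optionally followed by a dot". The nested
# quantifier means a near-miss input such as "aaaa...a!" is retried for every
# way of splitting the run of word characters: O(2^n) time on failure.
BACKTRACKING_RE = re.compile(r'(\w+\.?)+')
_WORD_CHAR = re.compile(r'\w')  # single-character test, cannot backtrack


def matches_regex(s):
    """Regex version: exponential time on inputs that almost match."""
    return BACKTRACKING_RE.fullmatch(s) is not None


def matches_linear(s):
    """Scanner accepting the same language as BACKTRACKING_RE.fullmatch(),
    in one O(len(s)) pass with no backtracking.

    Accepted: non-empty; first char is a word char; every char is a word
    char or '.'; every '.' is directly preceded by a word char.
    """
    if not s or not _WORD_CHAR.fullmatch(s[0]):
        return False
    prev_is_word = True
    for ch in s[1:]:
        if _WORD_CHAR.fullmatch(ch):
            prev_is_word = True
        elif ch == '.' and prev_is_word:
            prev_is_word = False
        else:
            return False
    return True


def time_failing_input(fn, n):
    """Time fn on a constructed near-miss input: n word chars then '!'.
    Returns (result, seconds)."""
    s = 'a' * n + '!'
    t0 = time.perf_counter()
    result = fn(s)
    return result, time.perf_counter() - t0


if __name__ == '__main__':
    for n in (14, 16, 18):  # regex time roughly doubles per added character
        print('regex  n=%d: %r in %.3fs' % ((n,) + time_failing_input(matches_regex, n)))
    print('linear n=%d: %r in %.3fs' % ((100000,) + time_failing_input(matches_linear, 100000)))
```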
    
Bugfixes
========

* Fixed a regression that caused sliced ``QuerySet.distinct().order_by()``
  followed by ``count()`` to crash (:ticket:`29108`).

* Prioritized the datetime and time input formats without ``%f`` for the Thai
  locale to fix the admin time picker widget displaying "undefined"
  (:ticket:`29109`).

* Fixed crash with ``QuerySet.order_by(Exists(...))`` (:ticket:`29118`).

* Made ``Q.deconstruct()`` deterministic with multiple keyword arguments
  (:ticket:`29125`). You may need to modify ``Q`` objects in existing
  migrations, or accept an autogenerated migration.

* Fixed a regression where a ``When()`` expression with a list argument crashed
  (:ticket:`29166`).

* Fixed crash when using a ``Window()`` expression in a subquery
  (:ticket:`29172`).

* Fixed ``AbstractBaseUser.normalize_username()`` crash if the ``username``
  argument isn't a string (:ticket:`29176`).